Version: (using KDE KDE 3.3.0)
Installed from: Compiled From Sources
OS: Linux
The user should not be bothered with the dialog for accepting an incoming VNC connection until the password has been verified. Now anyone can harass the user with this popup as long as the user has an open invitation outstanding.
True.
I agree mostly, but one of the reasons for that design was that it allowed me to have krfb always running with a good conscience. Every bit of data from an unauthenticated host that is processed by a C application is a large risk. If there were a bug (e.g. a buffer overflow) in the authentication code, this would be a fatal security problem. Every KDE system that has either an open invitation or a permanent password would be vulnerable. Asking the user for a confirmation before any data is processed solves that problem to some degree.
I have used krfb for remotely assisting users in the past, but this has become unusable because users were getting loads of connection requests from all over the internet. Maybe a whitelist of allowed remote hosts can solve this problem?
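An added illustration of the host whitelist suggested in the comment above (not krfb code and not written by anyone in this thread): a C check that decides from the peer's address alone, so a host that is not listed causes neither a popup nor any parsing of its data. It is IPv4 only; the function names and the sample list are assumptions made for the example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

struct cidr { uint32_t net, mask; };   /* host byte order */
/* Constructed sample list (documentation address ranges). */
const char *const SAMPLE_ALLOW[] = { "192.0.2.0/28", "198.51.100.7" };

/* Parse "a.b.c.d" or "a.b.c.d/len"; returns 0 on success, -1 on bad input. */
int cidr_parse(const char *s, struct cidr *out)
{
    char buf[INET_ADDRSTRLEN], *end;
    const char *slash = strchr(s, '/');
    size_t alen = slash ? (size_t)(slash - s) : strlen(s);
    long bits = 32;
    struct in_addr a;
    if (alen == 0 || alen >= sizeof buf)
        return -1;
    memcpy(buf, s, alen);
    buf[alen] = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1)
        return -1;
    if (slash) {
        bits = strtol(slash + 1, &end, 10);
        if (slash[1] < '0' || slash[1] > '9' || *end != '\0' || bits > 32)
            return -1;
    }
    /* Shifting a 32-bit value by 32 is undefined, so /0 is special-cased. */
    out->mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    out->net = ntohl(a.s_addr) & out->mask;
    return 0;
}

/* Needs only the peer address, so it can run right after accept() and before
 * any read from the socket. Fails closed: bad input or an empty list denies. */
int peer_allowed(const char *peer_ip, const char *const *list, size_t n)
{
    struct in_addr p;
    struct cidr c;
    if (inet_pton(AF_INET, peer_ip, &p) != 1)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (cidr_parse(list[i], &c) == 0 && (ntohl(p.s_addr) & c.mask) == c.net)
            return 1;
    return 0;
}

int main(void) { return !peer_allowed("192.0.2.5", SAMPLE_ALLOW, 2); }
```

A source address is not authentication, so a check like this only reduces who can reach the confirmation dialog and the password exchange; it does not replace either.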
FYI: KRFB has been unmaintained for over a year now, despite numerous attempts to find someone interested in picking it up. Until someone does, the future of the program is uncertain.
Issue still stands in KDE 4.3.